

<!DOCTYPE html>
<html lang="en" dir="ltr" prefix="og: https://ogp.me/ns#" class="no-js">
  <head>
    <meta charset="utf-8" />
<link rel="canonical" href="https://www.cisa.gov/news-events/analysis-reports/ar23-209b" />
<meta property="og:site_name" content="Cybersecurity and Infrastructure Security Agency CISA" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://www.cisa.gov/news-events/analysis-reports/ar23-209b" />
<meta property="og:title" content="MAR-10454006-r2.v1 SEASPY Backdoor | CISA" />
<meta name="Generator" content="Drupal 9 (https://www.drupal.org)" />
<meta name="MobileOptimized" content="width" />
<meta name="HandheldFriendly" content="true" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="icon" href="/profiles/cisad8_gov/themes/custom/gesso/favicon.png" type="image/png" />

    <title>MAR-10454006-r2.v1 SEASPY Backdoor | CISA</title>

    
  </head>
  <body  class="path-node not-front node-page node-page--node-type-advisory" id="top">
    
    
      <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas>
    

<div  class="l-site-container">
    
      

  
  



  
  

  
  

  <main id="main" class="c-main" role="main" tabindex="-1">
    
      
    


<div  class="l-content">
          







  
  
    

  
            





<div  role="article" class="is-promoted l-full">
    <div class="l-full__header">
        
<div  class="c-page-title">
  <div class="c-page-title__inner l-constrain">
    <div class="c-page-title__row">
      <div class="c-page-title__content">
                  <div class="c-page-title__meta">Analysis Report</div>
                <h1 class="c-page-title__title">
<span>MAR-10454006-r2.v1 SEASPY Backdoor </span>
</h1>
                                                          <div class="c-page-title__fields">  




<div  class="c-field c-field--name-field-release-date c-field--type-datetime c-field--label-above">
  <div  class="c-field__label">Release Date</div><div class="c-field__content"><time datetime="2023-07-28T12:00:00Z">July 28, 2023</time></div></div>

  




<div  class="c-field c-field--name-field-alert-code c-field--type-string c-field--label-above">
  <div  class="c-field__label">Alert Code</div><div class="c-field__content">AR23-209B</div></div>

</div>
                        
        
      </div>
          </div>
    <div class="c-page-title__decoration"></div>
  </div>
</div>
    </div>
    <div class="l-full__main">
                      

<div  class="l-page-section l-page-section--rich-text">
      <div class="l-constrain">
  
  
  <div class="l-page-section__content">
          <p>  </p>
<table id="cma-table" class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap=""><thead></thead><tbody><tr><td>
<h3>Notification</h3>
<p>This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.</p>
<p>This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.</p>
<h3>Summary</h3>
<h5>Description</h5>
<p>CISA obtained two SEASPY malware samples. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG).</p>
<p>			SEASPY is a persistent and passive backdoor that masquerades as a legitimate Barracuda service, “BarracudaMailService”, and allows the threat actors to execute arbitrary commands on the ESG appliance.</p>
<p>			For information about related malware, specifically information on the initial exploit payload and other backdoors, see CISA Alert: <a href="/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors">CISA Releases Malware Analysis Reports on Barracuda Backdoors</a>.</p>
<p>Download the PDF version of this report:</p>



<div class="align-center c-file">
    <div class="c-file__download">
    <a href="/sites/default/files/2023-07/MAR-10454006.r2.v1.CLEAR_.pdf" class="c-file__link" target="_blank">AR23-209B PDF</a>
    <span class="c-file__size">(PDF,       354.36 KB
  )</span>
  </div>
</div>
<p>For a downloadable copy of IOCs associated with this MAR in JSON format, see:</p>



<div class="align-center c-file">
    <div class="c-file__download">
    <a href="/sites/default/files/2023-07/MAR-10454006.r2.v1.CLEAR_stix2.json" class="c-file__link" target="_blank">AR23-209B JSON</a>
    <span class="c-file__size">(JSON,       19.83 KB
  )</span>
  </div>
</div>
<h5>Submitted Files (2)</h5>
<p>3e21e547cf94cb07c010fe82d6965e5bd52dbdd9255b4dd164f64addfaa87abb (BarracudaMailService.1)</p>
<p>69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192 (6931018-BarracudaMailService.2)</p>
<h3>Findings</h3>
<h4>69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192</h4>
<h5>Tags</h5>
<p>trojan</p>
<h5>Details</h5>
<table><tbody><tr><th role="columnheader" data-tablesaw-priority="persist">Name</th>
<td>6931018-BarracudaMailService.2</td>
</tr><tr><th role="columnheader">Size</th>
<td>2924089 bytes</td>
</tr><tr><th role="columnheader">Type</th>
<td>ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=495062eaa63784dad0a098d58892f58deb47ea66, with debug_info, not stripped</td>
</tr><tr><th role="columnheader">MD5</th>
<td>5d6cba7909980a7b424b133fbac634ac</td>
</tr><tr><th role="columnheader">SHA1</th>
<td>d114a707fc6abbd8060f821893a9ee64dc3b2714</td>
</tr><tr><th role="columnheader">SHA256</th>
<td>69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192</td>
</tr><tr><th role="columnheader">SHA512</th>
<td>ef966e1d679daa44ee4c86848b71a0be27a79c8824eba8e74c866322e59a8bdce66b32f3d4417256af351f87dd149a73ed7e8e40df5794c5273cf029d04b6f25</td>
</tr><tr><th role="columnheader">ssdeep</th>
<td>49152:IaMq45lHsbhe9YBU80A3hvJeD7ANjQ4maMTFhmwzHPm0WhphC:oqJh4YWkLeDKOhmwa0WhphC</td>
</tr><tr><th role="columnheader">Entropy</th>
<td>6.165718</td>
</tr><tr><th role="columnheader">Malware Result</th>
<td>unknown</td>
</tr></tbody></table><h5>Antivirus</h5>
<table><tbody><tr><th role="columnheader">ESET</th>
<td>a variant of Linux/SeaSpy.A trojan</td>
</tr><tr><th role="columnheader">McAfee</th>
<td>Linux/Seaspy!5D6CBA790998</td>
</tr></tbody></table><h5>YARA Rules</h5>
<ul><li>rule CISA_10452108_01 : SEASPY backdoor communicates_with_c2 installs_other_components<br />
				{<br />
				   // Signature for SEASPY ELF samples: matches either a set of plaintext strings ($s*) or a set of four 16-byte sequences ($a*).<br />
				   meta:<br />
				       Author = "CISA Code &amp; Media Analysis"<br />
				       Incident = "10452108"<br />
				       Date = "2023-06-20"<br />
				       Last_Modified = "20230628_1000"<br />
				       Actor = "n/a"<br />
				       Family = "SEASPY"<br />
				       Capabilities = "communicates-with-c2 installs-other-components"<br />
				       Malware_Type = "backdoor"<br />
				       Tool_Type = "unknown"<br />
				       Description = "Detects malicious Linux SEASPY samples"<br />
				       // Reference sample hashes. Of these, only SHA256_2 is one of the two files analysed in this report; the other three are not described here.<br />
				       SHA256_1 = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"<br />
				       SHA256_2 = "69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192"<br />
				       SHA256_3 = "5f5b8cc4d297c8d46a26732ae47c6ac80338b7be97a078a8e1b6eefd1120a5e5"<br />
				       SHA256_4 = "10efa7fe69e43c189033006010611e84394569571c4f08ea1735073d6433be81"<br />
				   strings:<br />
				       // $s0-$s6 are hex encodings of ASCII text; the decoded value is given above each one.<br />
				       // "./BarracudaMailService eth0"<br />
				       $s0 = { 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6c 53 65 72 76 69 63 65 20 65 74 68 30 }<br />
				       // "usage: ./BarracudaMailService &lt;Network-Interface"<br />
				       $s1 = { 75 73 61 67 65 3a 20 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6C 53 65 72 76 69 63 65 20 3c 4e 65 74 77 6f 72 6b 2d 49 6e 74 65 72 66 61 63 65 }<br />
				       // "enter open tty shell"<br />
				       $s2 = { 65 6e 74 65 72 20 6f 70 65 6e 20 74 74 79 20 73 68 65 6c 6c }<br />
				       // "%d", a NUL byte, then "NO port code"<br />
				       $s3 = { 25 64 00 4e 4f 20 70 6f 72 74 20 63 6f 64 65 }<br />
				       // "pcap_lookupnet: %s"<br />
				       $s4 = { 70 63 61 70 5f 6c 6f 6f 6b 75 70 6e 65 74 3a 20 25 73 }<br />
				       // "Child process id:%d"<br />
				       $s5 = { 43 68 69 6c 64 20 70 72 6f 63 65 73 73 20 69 64 3a 25 64 }<br />
				       // "[*]Success!"<br />
				       $s6 = { 5b 2a 5d 53 75 63 63 65 73 73 21 }<br />
				       // $a7-$a10 are 16-byte sequences with no printable-ASCII reading; the report does not say what they correspond to.<br />
				       $a7 = { bf 90 47 90 ec 18 fe e3 83 e2 a9 f7 8d 85 18 1d }<br />
				       $a8 = { 81 35 1e f0 94 ab 2a ba 5d f0 37 76 69 19 9f 1e }<br />
				       $a9 = { 6a 8e c7 89 ce c1 fe 64 78 a6 e1 c5 fe 03 d1 a7 }<br />
				       $a10 = { c2 ff d1 0d 24 23 ec c0 57 f9 8d 4b 05 34 41 b8 }<br />
				   condition:<br />
				       // uint32(0) == 0x464c457f tests for the bytes 7f 45 4c 46 ("\x7fELF") at offset 0, read as a little-endian integer.<br />
				       // NOTE(review): YARA gives "and" higher precedence than "or", so this evaluates as (ELF magic and all of $s*) or (all of $a*).<br />
				       // The $a* branch is therefore not gated by the ELF check and can match non-ELF data; confirm that is intended before deploying, and add parentheses if the header check should cover both branches.<br />
				       uint32(0) == 0x464c457f and (all of ($s*)) or ( all of ($a*))<br />
				}</li>
</ul><h5>ssdeep Matches</h5>
<p>No matches found.</p>
<h5>Description</h5>
<p>This artifact is a 64-bit ELF file that has been identified as a "SEASPY" malware variant installed as a system service. The sample is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. The malware is designed to listen for commands received from the Threat Actor’s (TA) Command-and-Control (C2) through Transmission Control Protocol (TCP) packets. When executed, the malware uses a libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks the captured network packet for a hard-coded string "oXmp". Note: This hard-coded string may change for other SEASPY variants, so detection based on this string alone would miss such variants. When the right sequence of packets is captured, it establishes a TCP reverse shell to the TA's C2 server for further exploitation. This allows the TA to execute arbitrary commands on the compromised system.</p>
<p>			The malware is based on an open-source backdoor program named "cd00r" and it is executed using the parameter below:</p>
<p>			--Begin argument--<br />
			Usage: "./BarracudaMailService &lt;Network-Interface&gt;"<br />
			Sample: "./&lt;malware&gt; eth0"<br />
			--End argument--</p>
<h5>Screenshots</h5>
  
  
  
  
<figure class="c-figure c-figure--large c-figure--image u-align-center" role="group"><div class="c-figure__media">  <img loading="lazy" src="/sites/default/files/styles/large/public/2023-07/AR23-209B%20Figure%201.jpg?itok=O-MtQggI" width="600" height="343" alt="Figure 1" /></div>
  </figure><p><strong>Figure 1. - </strong>This is disassembler output showing how the malware checks the parameters that the malware was executed with.</p>
<h4>3e21e547cf94cb07c010fe82d6965e5bd52dbdd9255b4dd164f64addfaa87abb</h4>
<h5>Tags</h5>
<p>trojan</p>
<h5>Details</h5>
<table><tbody><tr><th role="columnheader">Name</th>
<td>BarracudaMailService.1</td>
</tr><tr><th role="columnheader">Size</th>
<td>2924089 bytes</td>
</tr><tr><th role="columnheader">Type</th>
<td>ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=41942e680be29136ce7f1cdc9a15fd43968b0db0, with debug_info, not stripped</td>
</tr><tr><th role="columnheader">MD5</th>
<td>32ffe48d1a8ced49c53033eb65eff6f3</td>
</tr><tr><th role="columnheader">SHA1</th>
<td>2c7ad0e7897f348bec2e32f2af4282bd65916f8d</td>
</tr><tr><th role="columnheader">SHA256</th>
<td>3e21e547cf94cb07c010fe82d6965e5bd52dbdd9255b4dd164f64addfaa87abb</td>
</tr><tr><th role="columnheader">SHA512</th>
<td>12fd230c78c9e14b1bbb7f3c6776a14710693fa4224b4376775f118fc35584a5946a57dda43db20bd9ffc2950f4e62e8c206506744bca5fe39e6cb9a1a91b981</td>
</tr><tr><th role="columnheader">ssdeep</th>
<td>49152:bgt0bmh2EXaRuFmK3cnlBceICm4ewQ/MTs/dgPm0WhphC:Ma0gug7bceI4ih/dp0WhphC</td>
</tr><tr><th role="columnheader">Entropy</th>
<td>6.165197</td>
</tr><tr><th role="columnheader">Malware Result</th>
<td>unknown</td>
</tr></tbody></table><h5>Antivirus</h5>
<table><tbody><tr><th role="columnheader">ESET</th>
<td>a variant of Linux/SeaSpy.A trojan</td>
</tr><tr><th role="columnheader">McAfee</th>
<td>Linux/Seaspy!32FFE48D1A8C</td>
</tr></tbody></table><h5>YARA Rules</h5>
<ul><li>rule CISA_10452108_01 : SEASPY backdoor communicates_with_c2 installs_other_components<br />
				{<br />
				   // Signature for SEASPY ELF samples: matches either a set of plaintext strings ($s*) or a set of four 16-byte sequences ($a*).<br />
				   meta:<br />
				       Author = "CISA Code &amp; Media Analysis"<br />
				       Incident = "10452108"<br />
				       Date = "2023-06-20"<br />
				       Last_Modified = "20230628_1000"<br />
				       Actor = "n/a"<br />
				       Family = "SEASPY"<br />
				       Capabilities = "communicates-with-c2 installs-other-components"<br />
				       Malware_Type = "backdoor"<br />
				       Tool_Type = "unknown"<br />
				       Description = "Detects malicious Linux SEASPY samples"<br />
				       // Reference sample hashes. Of these, only SHA256_2 is one of the two files analysed in this report; the other three are not described here.<br />
				       SHA256_1 = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"<br />
				       SHA256_2 = "69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192"<br />
				       SHA256_3 = "5f5b8cc4d297c8d46a26732ae47c6ac80338b7be97a078a8e1b6eefd1120a5e5"<br />
				       SHA256_4 = "10efa7fe69e43c189033006010611e84394569571c4f08ea1735073d6433be81"<br />
				   strings:<br />
				       // $s0-$s6 are hex encodings of ASCII text; the decoded value is given above each one.<br />
				       // "./BarracudaMailService eth0"<br />
				       $s0 = { 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6c 53 65 72 76 69 63 65 20 65 74 68 30 }<br />
				       // "usage: ./BarracudaMailService &lt;Network-Interface"<br />
				       $s1 = { 75 73 61 67 65 3a 20 2e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6C 53 65 72 76 69 63 65 20 3c 4e 65 74 77 6f 72 6b 2d 49 6e 74 65 72 66 61 63 65 }<br />
				       // "enter open tty shell"<br />
				       $s2 = { 65 6e 74 65 72 20 6f 70 65 6e 20 74 74 79 20 73 68 65 6c 6c }<br />
				       // "%d", a NUL byte, then "NO port code"<br />
				       $s3 = { 25 64 00 4e 4f 20 70 6f 72 74 20 63 6f 64 65 }<br />
				       // "pcap_lookupnet: %s"<br />
				       $s4 = { 70 63 61 70 5f 6c 6f 6f 6b 75 70 6e 65 74 3a 20 25 73 }<br />
				       // "Child process id:%d"<br />
				       $s5 = { 43 68 69 6c 64 20 70 72 6f 63 65 73 73 20 69 64 3a 25 64 }<br />
				       // "[*]Success!"<br />
				       $s6 = { 5b 2a 5d 53 75 63 63 65 73 73 21 }<br />
				       // $a7-$a10 are 16-byte sequences with no printable-ASCII reading; the report does not say what they correspond to.<br />
				       $a7 = { bf 90 47 90 ec 18 fe e3 83 e2 a9 f7 8d 85 18 1d }<br />
				       $a8 = { 81 35 1e f0 94 ab 2a ba 5d f0 37 76 69 19 9f 1e }<br />
				       $a9 = { 6a 8e c7 89 ce c1 fe 64 78 a6 e1 c5 fe 03 d1 a7 }<br />
				       $a10 = { c2 ff d1 0d 24 23 ec c0 57 f9 8d 4b 05 34 41 b8 }<br />
				   condition:<br />
				       // uint32(0) == 0x464c457f tests for the bytes 7f 45 4c 46 ("\x7fELF") at offset 0, read as a little-endian integer.<br />
				       // NOTE(review): YARA gives "and" higher precedence than "or", so this evaluates as (ELF magic and all of $s*) or (all of $a*).<br />
				       // The $a* branch is therefore not gated by the ELF check and can match non-ELF data; confirm that is intended before deploying, and add parentheses if the header check should cover both branches.<br />
				       uint32(0) == 0x464c457f and (all of ($s*)) or ( all of ($a*))<br />
				}</li>
</ul><h5>ssdeep Matches</h5>
<p>No matches found.</p>
<h5>Description</h5>
<p>This artifact is a 64-bit ELF file that has been identified as a "SEASPY" malware variant installed as a system service. This sample has the same malicious capabilities as BarracudaMailService.2 (MD5 5d6cba7909980a7b424b133fbac634ac). The only difference between the binaries is located in the function named "start_pcap_listener". In the function "start_pcap_listener" both binaries call a function named "reverse shell" to start the reverse shell functionality of the malware. The difference is that BarracudaMailService.1 (MD5 32ffe48d1a8ced49c53033eb65eff6f3) jumps directly to the set of instructions that start the reverse shell, as opposed to BarracudaMailService.2 (MD5 5d6cba7909980a7b424b133fbac634ac), which contains an extra set of instructions before jumping to the instructions that start the reverse shell.</p>
<h3>Recommendations</h3>
<p>CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.</p>
<ul><li>Maintain up-to-date antivirus signatures and engines.</li>
<li>Keep operating system patches up-to-date.</li>
<li>Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.</li>
<li>Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.</li>
<li>Enforce a strong password policy and implement regular password changes.</li>
<li>Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.</li>
<li>Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.</li>
<li>Disable unnecessary services on agency workstations and servers.</li>
<li>Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).</li>
<li>Monitor users' web browsing habits; restrict access to sites with unfavorable content.</li>
<li>Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).</li>
<li>Scan all software downloaded from the Internet prior to executing.</li>
<li>Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).</li>
</ul><p>Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, <strong>"Guide to Malware Incident Prevention &amp; Handling for Desktops and Laptops".</strong></p>
<h3>Contact Information</h3>
<ul><li>1-888-282-0870</li>
<li><a href="mailto:CISAservicedesk@cisa.dhs.gov">CISA Service Desk</a> (UNCLASS)</li>
<li><a href="mailto:NCCIC@dhs.sgov.gov">CISA SIPR</a> (SIPRNET)</li>
<li><a href="mailto:NCCIC@dhs.ic.gov">CISA IC</a> (JWICS)</li>
</ul><p>CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: <a href="https://us-cert.cisa.gov/forms/feedback/">https://us-cert.cisa.gov/forms/feedback/</a></p>
<h3>Document FAQ</h3>
<p><strong>What is a MIFR?</strong> A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.</p>
<p><strong>What is a MAR?</strong> A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.</p>
<p><strong>Can I edit this document?</strong> This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or <a href="mailto:CISAservicedesk@cisa.dhs.gov">CISA Service Desk</a>.</p>
<p><strong>Can I submit malware to CISA?</strong> Malware samples can be submitted via three methods:</p>
<ul><li>Web: <a href="https://malware.us-cert.gov">https://malware.us-cert.gov</a></li>
<li>E-Mail: <a href="mailto:submit@malware.us-cert.gov">submit@malware.us-cert.gov</a></li>
<li>FTP: ftp.malware.us-cert.gov (anonymous)</li>
</ul><p>CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at <a href="http://www.cisa.gov">www.cisa.gov</a>.</p>
<h3>Acknowledgments</h3>
<p>Mandiant contributed to this report.</p>
</td>
</tr></tbody><tfoot><tr><td> </td>
</tr></tfoot></table>
      </div>

  
      </div>
  </div>
      <div class="l-constrain l-page-section--rich-text">
        <div class="l-page-section__content">
          




<div  class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden">
  <div class="c-field__content"><p>This product is provided subject to this <a href="/notification" rel="nofollow noopener" target="_blank" title="Follow link">Notification</a> and this <a href="/privacy-policy" rel="nofollow noopener" target="_blank" title="Follow link">Privacy &amp; Use</a> policy.</p></div></div>

        </div>
      </div>
            </div>
        <div class="l-full__footer">
                              
          

  

<div  class="c-view c-view--detail-page-related-content c-view--display-block_2 view js-view-dom-id-8028145d2ed8ade9dc9938081641da4a808249a1abc0f33b5153715083274859 c-collection c-collection--blue c-collection--two-column">
  <div class="l-constrain">
    <div class="c-collection__row">
              <div class="c-collection__content">
                      <h2 class="c-collection__title"><span class="c-collection__title-wrap">Related Advisories</span></h2>
                                      </div>
                  <div class="c-collection__cards">
        



      



<article  role="article" class="is-promoted c-teaser c-teaser--horizontal" role="article">
  <div class="c-teaser__row">
        <div class="c-teaser__content">
              <div class="c-teaser__eyebrow">
                      <div class="c-teaser__date"><time datetime="2023-08-09T12:00:00Z">Aug 09, 2023</time>
</div>
                                <div class="c-teaser__meta">Analysis Report | AR23-221A</div>
                  </div>
            <h3 class="c-teaser__title">
        <a href="/news-events/analysis-reports/ar23-221a" target="_self">          
<span>MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors</span>

        </a>      </h3>
          </div>
  </div>
</article>


        



<article  role="article" class="is-promoted c-teaser c-teaser--horizontal" role="article">
  <div class="c-teaser__row">
        <div class="c-teaser__content">
              <div class="c-teaser__eyebrow">
                      <div class="c-teaser__date"><time datetime="2023-07-28T12:00:00Z">Jul 28, 2023</time>
</div>
                                <div class="c-teaser__meta">Analysis Report | AR23-209C</div>
                  </div>
            <h3 class="c-teaser__title">
        <a href="/news-events/analysis-reports/ar23-209c" target="_self">          
<span>MAR-10454006-r3.v1 Exploit Payload Backdoor </span>

        </a>      </h3>
          </div>
  </div>
</article>


        



<article  role="article" class="is-promoted c-teaser c-teaser--horizontal" role="article">
  <div class="c-teaser__row">
        <div class="c-teaser__content">
              <div class="c-teaser__eyebrow">
                      <div class="c-teaser__date"><time datetime="2023-07-28T12:00:00Z">Jul 28, 2023</time>
</div>
                                <div class="c-teaser__meta">Analysis Report | AR23-209A</div>
                  </div>
            <h3 class="c-teaser__title">
        <a href="/news-events/analysis-reports/ar23-209a" target="_self">          
<span>MAR-10454006-r1.v2 SUBMARINE Backdoor</span>

        </a>      </h3>
          </div>
  </div>
</article>


        



<article  role="article" class="is-promoted c-teaser c-teaser--horizontal" role="article">
  <div class="c-teaser__row">
        <div class="c-teaser__content">
              <div class="c-teaser__eyebrow">
                      <div class="c-teaser__date"><time datetime="2023-07-06T12:00:00Z">Jul 06, 2023</time>
</div>
                                <div class="c-teaser__meta">Analysis Report | AR23-187A</div>
                  </div>
            <h3 class="c-teaser__title">
        <a href="/news-events/analysis-reports/ar23-187a" target="_self">          
<span>MAR-10445155-1.v1 Truebot Activity Infects U.S. and Canada Based Networks</span>

        </a>      </h3>
          </div>
  </div>
</article>


  
      </div>
    </div>
          </div>
</div>


          </div>
  </div>
  
  
  
  

      </div>

  
  </main>

  



</div>

  </div>

    

  </body>
</html>
